Werk #20082: Fix REST API rejecting automation users when two-factor authentication is required
| Component | REST API | ||||
| Title | Fix REST API rejecting automation users when two-factor authentication is required | ||||
| Date | May 28, 2026 | ||||
| Level | Trivial Change | ||||
| Class | Bug Fix | ||||
| Compatibility | Compatible - no manual interaction needed | ||||
| Checkmk versions & editions |
|
Werk #18639 made the REST API reject requests when the authenticating user still has a required account action pending: completing two-factor authentication, setting up a second authentication factor, or changing the password.
However, this change mistakenly affected automation users as well. They could be required to complete or set up two-factor authentication for two reasons:
- if two-factor authentication was enforced globally or via an automation user's role
- if a regular user had a second factor configured and was later converted to an automation user (the stored 2FA credentials persist).
In both cases agent registration and other REST API calls authenticated as this automation user failed.
Automation users authenticate non-interactively and cannot complete any of the account actions, so none of these requirements apply to them. With this change they are considered logged in as soon as their credentials are verified.